Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0324: Analytic 0324

Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS.

EnterpriseAN0324AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Windows services or scheduled tasks that are made to look legitimate, then used to run untrusted binaries or LOLBAS. For leaders, the practical issue is persistence and execution hiding inside normal Windows administration patterns. If defenders cannot distinguish expected service/task changes from lookalike entries, an incident may persist longer and response teams may lose confidence in endpoint hygiene.

Executive priority

Prioritize this as a Windows endpoint resilience and SOC readiness question: do teams have reliable evidence of service and scheduled task creation or modification, and can they review suspicious naming or descriptions quickly during an incident? It supports control validation for managed detection, incident response preparation, and compliance evidence around endpoint monitoring and change accountability. Budget and control discussions should focus on whether Windows administrative activity is visible, baselined, and triageable rather than assuming that endpoint tooling alone will catch deceptive names.

Technical view

Validate collection and correlation for Windows service and scheduled task creation or modification, especially where the name or description resembles legitimate entries but the execution target is unusual, untrusted, or a LOLBAS. Because the official object does not provide a detection query or tactic mapping, detection engineering should treat this as a behavioral analytic requiring local allowlists, known-good administrative patterns, binary reputation or trust context, and execution lineage. IR teams should be able to pivot from a suspicious service or task to creator account, host, timestamp, command line or binary path, parent process, and subsequent execution.

Likely telemetry

  • Windows service creation and modification events
  • Windows scheduled task creation and modification events
  • Process execution telemetry for binaries launched by services or scheduled tasks
  • Command line and binary path metadata
  • File reputation, signing, hash, or trust indicators for executed binaries

Detection direction

  • Baseline legitimate Windows service and scheduled task names, descriptions, paths, and owners to reduce noise from normal administration.
  • Alert on newly created or modified services or tasks with legitimate-looking names or descriptions when the target binary path, signer, hash, location, or LOLBAS usage is anomalous.
  • Correlate creation or modification activity with subsequent execution rather than relying only on the object name, because the naming deception is the core behavior.
  • Tune for expected software deployment, patching, backup, monitoring, and administrative tools that commonly create services or tasks.
  • Review blind spots where endpoint logs are not retained, command line capture is disabled, scheduled task details are incomplete, or service modifications are not centrally collected.

Mitigation priorities

  • Ensure Windows endpoint logging captures service and scheduled task creation, modification, and execution context.
  • Maintain an approved baseline of services, scheduled tasks, administrative tools, and expected binary locations for critical Windows systems.
  • Restrict and monitor privileges that allow creation or modification of services and scheduled tasks.
  • Use application control, trusted signing, or reputation-based controls where appropriate to reduce execution of untrusted binaries and risky LOLBAS patterns.
  • Document investigation procedures so SOC and IR teams can rapidly validate creator identity, binary trust, execution lineage, and business legitimacy.
Analyst notes and limits

The object is a detection analytic for Windows only, with no supplied tactic mapping, relationships, or official detection logic. The decision value is in validating whether the organization can see deceptive service or scheduled task changes and connect them to anomalous execution. Local baselines are essential because legitimate administration can look similar at the event level.

This take uses only the supplied ATT&CK fields and external reference. No active exploitation, actor attribution, impact claim, or guaranteed detection coverage is implied. The official detection field is not provided, and no relationship context was supplied, so implementation details must be derived from local telemetry and environment-specific baselines.

Official MITRE ATT&CK definition

Analytic 0324

Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b1064bf0cf67854c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b1064bf0cf67…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0324
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use